NSA surveillance and privacy has become a hot topic. Bruce Schneier gave the ShmooCon keynote on this topic. Julian Assange addressed SXSW on this topic. We are intensely suspicious of Government surveillance, and perhaps rightly so; the Government is in a unique position to collect, and potentially abuse, personal information. But, as a country, we are actively discussing oversight of this surveillance, and how it relates to privacy. Adm. Mike Rogers, the nominee to lead NSA and CyberCommand, testifies about providing additional transparency. Some actual bi-partisan legislative changes may be in the works.
However, there is an even more insidious surveillance system, one that impinges on our privacy every day in almost every aspect of our lives. It collects detailed personal data about who you are, how much money you make, and where you are at any given time. It seeks to collect enough information that unaccountable external groups can repeatedly influence your behavior without you realizing what is going on. Some of the members of this cabal include FitBit, Google, Facebook…well, ok, the secret is out. In fact, this describes our current e-commerce system. The scope is even wider than that, covering your activities in both the real world and on the internet, whether or not you approve or engage (other than clicking “Agree” on one of those 40-page user agreements).
Yet, there is no outcry. No headlines or Congressional hearings. Well, the FTC is a little concerned. And the CIA is trying to figure it out…their CTO, Gus Hunt, says that FitBit can identify you with high accuracy just by how you walk. Saying that this type of pervasive, invasive surveillance is bad when the Government does it, but OK if companies do it, seems hopelessly naive. We should have a set of standards that apply to both Government and industry, perhaps with some explicit differences in expectations given the different nature of these entities. So here is my list of considerations for assessing acceptable behavior in collecting information:
1. Utility (why)
2. Transparency (how, when, where)
3. Security (appropriate)
4. Boundary (what)
5. Accountability (who)
In a later post I’ll explore these considerations in more detail with respect to NSA and to commercial collectors of information, to grade their performance.